Abstract

Linear dependent types [8] allow one to precisely capture both the extensional behaviour and
the time complexity of λ-terms, when the latter are evaluated by Krivine's abstract machine.
In this work, we show that the same paradigm can be applied to call-by-value evaluation. A
system of linear dependent types for Plotkin's PCF is introduced, called dℓPCF_V, whose types
reflect the complexity of evaluating terms in the so-called CEK machine. dℓPCF_V is proved
to be sound, but also relatively complete: every true statement about the extensional and
intensional behaviour of terms can be derived, provided all true index term inequalities can
be used as assumptions.

1 Introduction 



A variety of methodologies for formally verifying properties of programs have been introduced
in the last fifty years. Among them, type systems have certain peculiarities. On the one hand,
the way one defines a type system makes the task of proving a given program to have a type
reasonably simple and modular: a type derivation for a compound program usually consists of
some type derivations for the components, appropriately glued together in a syntax-directed way
(i.e. attributing a type to a program can usually be done compositionally). On the other, the
specifications that can be expressed through types have traditionally been weak, although stronger
properties have recently become of interest, such as security [23, 22], termination [5], monadic
temporal properties [17] or resource bounds [16]. But contrarily to what happens with other
formal methods (e.g. model checking or program logics), giving a type to a program t is a sound
but incomplete way to prove t to satisfy a specification: there are correct programs which cannot
be proved such by way of typing.

In other words, the tension between expressiveness and tractability is particularly evident in
the field of type systems, where certain good properties the majority of type systems enjoy (e.g.
syntax-directedness) are usually considered as desirable (if not necessary), but also have their
drawbacks: some specifications are intrinsically hard to verify locally and compositionally. One
specific research field in which the just-described scenario manifests itself is complexity analysis,
in which the specification takes the form of concrete or asymptotic bounds on the complexity of
the underlying program. Many type systems have been introduced capturing, for instance, the
class of polynomial time computable functions [TSJ HI E]. All of them, under mild assumptions,
can be employed as tools to certify programs as asymptotically time efficient. However, only a tiny
slice of the polytime programs are generally typable, since the underlying complexity class FP is
only characterised in a purely extensional sense — for every function in FP there is at least one
typable program computing it.

Gaboardi and the first author have recently introduced [5] a type system for Plotkin's PCF,
called dℓPCF_N, in which linearity and a restricted form of dependency in the spirit of Xi's DML
are present:

• Linearity makes it possible to finely control the number of times subterms are copied during
the evaluation of a term t, itself a parameter which accurately reflects the time complexity
of t [7].

• Dependency allows one to type distinct (virtual) copies of a term with distinct types. This
gives the type system an extra flexibility similar to that of intersection types.

When mixed together, these two ingredients allow one to precisely capture the extensional behaviour
of λ-terms and the time complexity of their evaluation by Krivine's abstract machine. Both
soundness and relative completeness hold for dℓPCF_N.

One may argue, however, that the practical relevance of these results is quite limited, given that 
call-by-name evaluation and KAM are very inefficient: why would one be interested in verifying 
the complexity of evaluating concrete programs in such a setting? 

In this work, we show that linear dependent types can also be applied to the analysis of
call-by-value evaluation of functional programs. This is done by introducing another system of
linear dependent types for Plotkin's PCF. The system, called dℓPCF_V, captures the complexity
of evaluating terms by Felleisen and Friedman's CEK machine [12], a simple abstract machine
for call-by-value evaluation. dℓPCF_V is proved to enjoy the same good properties enjoyed by its
sibling dℓPCF_N, namely soundness and relative completeness: every true statement about the
extensional behaviour of terms can be derived, provided all true index term inequalities can be
used as assumptions.

Actually, dℓPCF_V is not merely a variation on dℓPCF_N: not only are the typing rules different, but
the language of types itself must also be modified. Roughly, dℓPCF_V and dℓPCF_N can be thought of
as being induced by translations of intuitionistic logic into linear logic: the latter corresponds to
Girard's translation $A \Rightarrow B = {!A} \multimap B$, while the former corresponds to $A \Rightarrow B = {!(A \multimap B)}$.
The strong link between translations of IL into ILL and notions of reduction for the λ-calculus
is well known (see e.g. [TH]) and has been a guide in the design of dℓPCF_V (this is explained in
Section 2.2).

2 Linear Dependent Types, Intuitively

Consider the following program: 

dbl = fix f.λx. ifz x then x else s(s(f(p(x)))).

In a type system like PCF [21], the term dbl receives type Nat ⇒ Nat. As a consequence, dbl
computes a function on natural numbers without "going wrong": it takes in input a natural number,
and (possibly) produces in output another natural number. The type Nat ⇒ Nat, however, does
not give any information about which specific function on the natural numbers dbl computes.

Properties of programs which are completely ignored by ordinary type systems are termination
and its most natural refinement, namely termination in bounded time. Typing a term t with
Nat ⇒ Nat does not guarantee that t, when applied to a natural number, terminates. Consider,
as another example, a slight modification of dbl, namely

div = fix f.λx. ifz x then x else s(s(f(x))).

It behaves as dbl when fed with 0, but it diverges when it receives a positive natural number as
an argument. But look: div is not so different from dbl. Indeed, the second can be obtained from
the first by feeding not x but p(x) to f. And any type system in which dbl and div are somehow
recognised as being fundamentally different must be able to detect the presence of p in dbl and
deduce termination from it. Indeed, sized types [5] and dependent types [21] are able to do so.
Going further, we could ask the type system to be able not only to guarantee termination, but
also to somehow evaluate the time or space consumption of programs. For example, we could be
interested in knowing that dbl takes a polynomial number of steps to be evaluated on any natural
number, and actually some type systems able to control the complexity of higher-order programs
exist. Good examples are type systems for amortised analysis [16, 14] or those using ideas from
linear logic [H|3]: in all of them, linearity plays a key role.

dℓPCF_N [5] combines some of the ideas presented above with the principles of bounded linear
logic (BLL [13]): the cost of evaluating a term is measured by counting how many times function
arguments need to be copied during evaluation, and different copies can be given distinct, although
uniform, types. Making this information explicit in types permits one to compute the cost step by
step during the type derivation process. Roughly, typing judgements in dℓPCF_N are statements
like

$$\vdash_{J(a)} t : !_n \mathrm{Nat}[a] \multimap \mathrm{Nat}[I(a)],$$

where I and J depend on a and n is a natural number capturing the number of times t uses its
argument. But this is not sufficient: analogously to what happens in BLL, dℓPCF_N makes types
more parametric. A type like $!_n \sigma \multimap \tau$ is replaced by the more parametric type $!_{a<n}\sigma \multimap \tau$, which
tells us that the argument will be used n times, and each instance has type σ where, however, the
variable a is instantiated with a value less than n. This allows one to type each copy of the argument
differently but uniformly, since all instances of σ have the same PCF skeleton. This form of uniform
linear dependence is actually crucial in obtaining the result which makes dℓPCF_N different from
similar type systems, namely completeness. As an example, dbl can be typed as follows in dℓPCF_N:

$$\vdash \mathit{dbl} : !_{b<a+1}\mathrm{Nat}[a] \multimap \mathrm{Nat}[2 \times a].$$

This tells us that the argument will be used a times by dbl, namely a number of times equal to
its value. And that the cost of evaluation will be itself proportional to a.

2.1 Why Another Type System? 

The theory of the λ-calculus is full of interesting results, one of them being the so-called Church-
Rosser property: both β and βη reduction are confluent, i.e. if you fire two distinct redexes in a
λ-term, you can always "close the diagram" by performing one or more rewriting steps. This,
however, is not a local confluence result, and as such does not imply that all reduction strategies are
computationally equivalent. Indeed, some of them are normalising (like normal-order evaluation)
while some others are not (like innermost reduction). But how about efficiency?

On the one hand, it is well known that optimal reduction is indeed possible [18], even if it
gives rise to high overheads pQ. On the other, call-by-name can be highly inefficient. Consider, as
an example, the composition of dbl with itself:

dbl2 = λx.dbl(dbl x).

This takes quadratic time to be evaluated in the KAM: the evaluation of (dbl n) is repeated a
linear number of times, whenever it reaches the head position. This actually can be seen from
within dℓPCF_N, since

$$\vdash_I \mathit{dbl2} : !_{b<J}\mathrm{Nat}[a] \multimap \mathrm{Nat}[4 \times a],$$

where both I and J are quadratic in a. Call-by-value solves this problem, at the price of not being
normalising. Indeed, eager evaluation of dbl2 when fed with a natural number n takes linear time
in n. The relative efficiency of call-by-value evaluation, compared to call-by-name, is not a novelty:
many modern functional programming languages (like OCaml and Scheme) are based on it, while
very few of them evaluate terms in call-by-name order.

For the reasons above, we strongly believe that designing a type system in the style of dℓPCF_N,
but able to deal with eager evaluation, is a step forward in applying linear dependent types to actual
programming languages.
2.2 Call-by-Value, Call-by-Name and Linear Logic

Various notions of evaluation for the λ-calculus can be seen as translations of intuitionistic logic
(or of simply-typed λ-calculi) into Girard's linear logic. This correspondence has been investigated
in the specific cases of call-by-name (cbn) and call-by-value (cbv) reduction (e.g. see the work of
Maraist et al. [IH]). In this section, we briefly introduce the main ideas behind the correspondence,
explaining why linear logic has guided the design of dℓPCF_V.

The general principle in such translations is to guarantee that whenever a term can possibly be
duplicated, it must be mapped to a box in the underlying linear logic proof. In the CBN translation
(also called Girard's translation), any argument to functions can possibly be substituted for a
variable and copied, so arguments are banged during the translation:

$$(A \Rightarrow B)^* = (!A^*) \multimap B^*$$

Adding the quantitative bound on banged types (as explained in the previous section) gives rise
to the type $(!_{a<I}\sigma) \multimap \tau$ for functions (written $[a < I]\cdot\sigma \multimap \tau$ in [8]). In the same way, contexts
are banged in the CBN translation: a typing judgement in dℓPCF_N has the following form:

$$x_1 : !_{a_1<I_1}\sigma_1, \ldots, x_n : !_{a_n<I_n}\sigma_n \vdash t : \tau.$$

In the CBV translation, β-reduction should be performed only if the argument is a value. Thus,
arguments are not automatically banged during the translation but values are, so that the β-
reduction remains blocked until the argument reduces to a value. In the λ-calculus values are
functions, hence the translation of the intuitionistic arrow becomes

$$(A \Rightarrow B)^\circ = !(A^\circ \multimap B^\circ).$$

Function types in dℓPCF_V then become $!_{a<I}(\sigma \multimap \tau)$, and a judgement has the form $x_1 : \sigma_1, \ldots, x_n : \sigma_n \vdash_J t : \tau$.
The syntax of types varies quite a lot between dℓPCF_N and dℓPCF_V, and consequently
the two type systems are different, although both of them are greatly inspired by linear logic.

In both cases, however, the "target" of the translation is not the whole of ILL, but rather
a restricted version of it, namely BLL, in which the complexity of normalisation is kept under
control by shifting from unbounded, infinitary, exponentials to finitary ones. For example, the
BLL contraction rule allows one to merge the first I copies of A, and the following J ones, into the
first I + J copies of A:

$$\frac{\Gamma,\ !_{a<I}A,\ !_{a<J}A\{I + a/a\} \vdash B}{\Gamma,\ !_{a<I+J}A \vdash B}$$

We write $\sigma \uplus \tau = {!_{a<I+J}A}$ if $\sigma = {!_{a<I}A}$ and $\tau = {!_{a<J}A\{I + a/a\}}$. Any time a contraction rule is
involved in the CBV translation of a type derivation, a sum ⊎ appears at the same place in the
corresponding dℓPCF_V derivation. Similarly, the dereliction rule allows one to see any type as the first
copy of itself:

$$\frac{\Gamma,\ A\{0/a\} \vdash B}{\Gamma,\ !_{a<1}A \vdash B}$$

hence any dereliction rule appearing in the translation of a typing judgement tells us that the
corresponding type is copied once. Both contraction and dereliction appear while typing an
application in dℓPCF_V: the PCF typing rule

$$\frac{\Gamma \vdash t : A \Rightarrow B \qquad \Gamma \vdash u : A}{\Gamma \vdash tu : B}$$

corresponds to the following ILL proof:

$$
\frac{
  \frac{
    \frac{\frac{z : A^\circ \multimap B^\circ \vdash z : A^\circ \multimap B^\circ}{z : !(A^\circ \multimap B^\circ) \vdash z : A^\circ \multimap B^\circ}\ \mathrm{der}
      \qquad \Gamma^\circ \vdash t^\circ : !(A^\circ \multimap B^\circ)}
    {\Gamma^\circ \vdash t^\circ : A^\circ \multimap B^\circ}
    \qquad \Gamma^\circ \vdash u^\circ : A^\circ
  }{\Gamma^\circ, \Gamma^\circ \vdash t^\circ u^\circ : B^\circ}
}{\Gamma^\circ \vdash t^\circ u^\circ : B^\circ}\ (\Gamma^\circ = !\Gamma')\ \mathrm{contr}
$$
which becomes the following, when appropriately decorated according to the principles of BLL
(writing $A_0$ and $B_0$ for $A\{0/a\}$ and $B\{0/a\}$):

$$
\frac{
  \frac{
    \frac{z : !_{a<1}(A^\circ \multimap B^\circ) \vdash z : A^\circ_0 \multimap B^\circ_0
      \qquad \Gamma^\circ \vdash t^\circ : !_{a<1}(A^\circ \multimap B^\circ)}
    {\Gamma^\circ \vdash t^\circ : A^\circ_0 \multimap B^\circ_0}
    \qquad \Gamma^\circ \vdash u^\circ : A^\circ_0
  }{\Gamma^\circ, \Gamma^\circ \vdash t^\circ u^\circ : B^\circ_0}
}{\Gamma^\circ \uplus \Gamma^\circ \vdash t^\circ u^\circ : B^\circ_0}\ (\Gamma^\circ = !\Gamma')\ \mathrm{contr}
$$

This CBV translation of the application rule hence leads to the typing rule for applications in
dℓPCF_V:

$$\frac{\Gamma \vdash_K t : !_{a<1}(\sigma \multimap \tau) \qquad \Delta \vdash_H u : \sigma\{0/a\}}{\Gamma \uplus \Delta \vdash_{K+H} tu : \tau\{0/a\}}$$

The same kind of analysis enables one to derive the typing rule for abstractions (whose call-by-value
translation requires the use of a promotion rule) in dℓPCF_V:

$$\frac{\Gamma, x : \sigma \vdash_K t : \tau}{\sum_{a<I}\Gamma \vdash_{I + \sum_{a<I}K} \lambda x.t : !_{a<I}(\sigma \multimap \tau)}$$

One may wonder what I represents in this typing rule, and more generally in a judgement such as

This is actually the main new idea of dℓPCF_V: such a judgement intuitively means that the value
to which t reduces will be used I times by the environment. If t is applied to an argument u, then t
must reduce to an abstraction λx.s, that is destructed by the argument without being duplicated.
In that case, I = 1, as indicated by the application typing rule. On the opposite, if t is applied
to a function λx.u, then the type of this function must be of the form (up to a substitution of b)
$!_{b<1}(!_{a<I}A \multimap \tau)$. This means that λx.u uses I times its argument, or, that x can appear at most I
times in the reducts of u.

This suggests that the type derivation of a term is not unique in general: whether a term t
has type $!_{a<I}A$ or $!_{a<J}A$ depends on the use we want to make of t. This intuition will direct us
in establishing the typing rules for the other PCF constructs (namely conditional branching and
fixpoints).

3 dℓPCF_V, Formally

In this section, the language of programs and a type system dℓPCF_V for it will be introduced
formally. While programs are just terms of a fairly standard λ-calculus (which is very similar to
Plotkin's PCF), types may include so-called index terms, which are first-order terms denoting nat-
ural numbers by which one can express properties about the extensional and intensional behaviour
of programs.

3.1 Index Terms and Equational Programs

Syntactically, index terms are built either from function symbols from a given untyped signature
Θ or by applying any of two special term constructs:

$$I, J, K ::= a \mid f(I_1, \ldots, I_n) \mid \sum_{a<I} J \mid @^{I,J}_a K.$$

Here, f is a symbol of arity n from Θ and a is a variable drawn from a set V of index variables.
We assume the symbols 0, 1 (with arity 0) and +, − (with arity 2) are always part of Θ. An index
term in the form $\sum_{a<I} J$ is a bounded sum, while one in the form $@^{I,J}_a K$ is a forest cardinality.
For every natural number n, the index term n is just 1 + 1 + ... + 1 (n times).



Index terms are meant to denote natural numbers, possibly depending on the (unknown) values
of variables. Variables can be instantiated with other index terms, e.g. I{J/a}. So, index terms
can also act as first order functions. What is the meaning of the function symbols from Θ? It is
the one induced by an equational program $\mathcal{E}$. Formally, an equational program $\mathcal{E}$ over a signature Θ
is a set of equations in the form I = J where both I and J are index terms. We are interested in
equational programs guaranteeing that, whenever symbols in Θ are interpreted as partial functions
over ℕ and 0, 1, + and − are interpreted in the usual way, the semantics of any function symbol
f can be uniquely determined from $\mathcal{E}$. This can be guaranteed by, for example, taking $\mathcal{E}$ as
a Herbrand-Gödel scheme [20] or as an orthogonal constructor term rewriting system [2]. The
definition of index terms is parametric on Θ and $\mathcal{E}$: this way one can tune our type system from
a highly undecidable but truly powerful machinery down to a tractable but less expressive formal
system.

What about the meaning of bounded sums and forest cardinalities? The first is very intuitive:
the value of $\sum_{a<I} J$ is simply the sum of all possible values of J with a taking the values from 0
up to I, excluded. Forest cardinalities, on the other hand, require some effort to be described.
Informally, $@^{I,J}_a K$ is an index term denoting the number of nodes in a forest composed of J trees
described using K. All the nodes in the forest are (uniquely) identified by natural numbers. These
are obtained by consecutively visiting each tree in pre-order, starting from I. The term K has the
role of describing the number of children of each forest node, e.g. the number of children of the
node 0 is K{0/a}. More formally, the meaning of a forest cardinality is defined by two equations,
one for $@^{I,0}_a K$ and one for $@^{I,J+1}_a K$.

The first equation says that a forest of 0 trees contains no nodes. The second one tells us that a
forest of J + 1 trees contains:

• the nodes in the first J trees;

• plus the nodes in the last tree, which are just one plus the nodes in the immediate subtrees
of the root, considered themselves as a forest.

To better understand forest cardinalities, consider the following forest comprising two trees:

[Figure: a forest of two trees whose nodes are numbered 0 to 12 in pre-order; a dashed rectangle encloses three of the subtrees.]

It is well described by an index term K with a free index variable a such that K{1/a} = 3; K{n/a} =
2 for n ∈ {2, 8}; K{n/a} = 1 when n ∈ {0, 6, 9, 11}; and K{n/a} = 0 when n ∈ {3, 4, 5, 7, 10, 12}.
That is, K describes the number of children of each node. Then $@^{0,2}_a K = 13$ since it takes into
account the entire forest; $@^{0,1}_a K = 8$ since it takes into account only the leftmost tree; $@^{8,1}_a K = 5$
since it takes into account only the second tree of the forest; finally, $@^{2,3}_a K = 6$ since it takes into
account only the three trees (as a forest) within the dashed rectangle.
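As an added example (this is not code from the paper), the following Python function computes bounded sums and forest cardinalities directly from the informal description above. An index term K with free variable a is modelled as a Python function from a node number to its number of children; the numbering of the two-tree forest (nodes 0 to 12) is taken from the values of K listed in the text, and `add_recursion_tree` encodes the index I of the add example in Section 4 (I = if b < f then 1 else 0) to check that its tree of recursive calls has f + 1 nodes. The function names, the tuple-free encoding of K and the node budget used to report an undefined (infinite) cardinality are assumptions of this example.

```python
# Added example, not part of the paper: bounded sums and forest cardinalities
# computed from the informal description in Section 3.1.
from typing import Callable, Optional


def bounded_sum(I: int, J: Callable[[int], int]) -> int:
    """Sum_{a<I} J: the sum of J(a) with a ranging over 0, ..., I-1."""
    return sum(J(a) for a in range(I))


def forest_card(I: int, J: int, K: Callable[[int], int],
                max_nodes: int = 100_000) -> Optional[int]:
    """@^{I,J}_a K: number of nodes of a forest of J trees whose nodes are
    numbered consecutively in pre-order starting from I, node n having K(n)
    children.  A forest of 0 trees has no nodes; a forest of J+1 trees has the
    nodes of the first J trees plus one node for the last root plus the nodes
    of that root's immediate subtrees, visited as a forest.
    Returns None once more than max_nodes nodes have been visited: that is
    how an infinite tree (an undefined cardinality) shows up here."""
    count = 0
    remaining = [J]            # trees still to visit, innermost forest last
    while remaining:
        if remaining[-1] == 0:
            remaining.pop()    # this forest is exhausted, back to the enclosing one
            continue
        remaining[-1] -= 1
        node = I + count       # pre-order: the next unused number is the root
        count += 1             # one node for the root ...
        if count > max_nodes:
            return None
        remaining.append(K(node))   # ... plus its K(node) subtrees as a forest
    return count


# Constructed sample: the two-tree forest of the running example, nodes 0..12.
# Nodes not listed have no children.
CHILDREN = {0: 1, 1: 3, 2: 2, 6: 1, 8: 2, 9: 1, 11: 1}


def K_example(n: int) -> int:
    return CHILDREN.get(n, 0)


def add_recursion_tree(f: int) -> Optional[int]:
    """Recursion tree of `add` (Section 4): I = if b < f then 1 else 0, so the
    tree is a chain and @^{0,1}_b I should be f + 1."""
    return forest_card(0, 1, lambda b: 1 if b < f else 0)


if __name__ == "__main__":
    for (I, J) in [(0, 2), (0, 1), (8, 1), (2, 3)]:
        print(f"@^{{{I},{J}}} K = {forest_card(I, J, K_example)}")
    print("add, f = 5:", add_recursion_tree(5))
    print("infinite chain:", forest_card(0, 1, lambda n: 1, max_nodes=1000))
```

The four values printed for the sample forest are the ones stated in the text (13, 8, 5 and 6), and the last call shows how a diverging recursion (every node has exactly one child) is reported rather than looped on.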

One may wonder what is the role of forest cardinalities in the type system. Actually, they play
a crucial role in the treatment of recursion, where the unfolding of recursion produces a tree-like
structure whose size is just the number of times the (recursively defined) function will be used
globally. Note that the value of a forest cardinality could also be undefined. For instance, this
happens when infinite trees, corresponding to diverging recursive computations, are considered.

Figure 1: Call-by-value reduction of PCF terms.

The expression $[\![I]\!]^{\mathcal{E}}_\rho$ denotes the meaning of I, defined by induction along the lines of the
previous discussion, where ρ : V → ℕ is an assignment and $\mathcal{E}$ is an equational program giving
meaning to the function symbols in I. Since $\mathcal{E}$ does not necessarily interpret such symbols as total
functions, and moreover the value of a forest cardinality can be undefined, $[\![I]\!]^{\mathcal{E}}_\rho$ can be undefined
itself. A constraint is an inequality in the form I ≤ J. Such a constraint is true (or satisfied) in
an assignment ρ if $[\![I]\!]^{\mathcal{E}}_\rho$ and $[\![J]\!]^{\mathcal{E}}_\rho$ are both defined and the first is smaller than or equal to the latter.
Now, for a subset φ of V, and for a set Φ of constraints involving variables in φ, the expression

$$\phi; \Phi \models_{\mathcal{E}} I \le J$$

denotes the fact that the truth of I ≤ J semantically follows from the truth of the constraints in Φ.
To denote that I is well defined for $\mathcal{E}$ and any valuation ρ satisfying Φ, we may write $\phi; \Phi \models_{\mathcal{E}} I\!\downarrow$
instead of $\phi; \Phi \models_{\mathcal{E}} I \le I$.



3.2 Programs

Values and terms are generated by the following grammar:

Values: v, w ::= n | λx.t | fix x.t
Terms: s, t, u ::= x | v | tu | s(t) | p(t) | ifz t then u else s

Terms can be typed with a well-known type system called PCF: types are those generated by the
basic type Nat and the binary type constructor ⇒. Typing rules are standard (see [8]). A notion
of (weak) call-by-value reduction →_v can be easily defined: take the rewriting rules in Figure 1
and close them under all applicative contexts. A term t is said to be a program if it can be given
the PCF type Nat in the empty context. The multiplicative size ||t|| of a term t is defined as follows:

$$\begin{aligned}
\|n\| = \|\lambda x.t\| = \|\mathtt{fix}\ x.t\| &= 0;\\
\|x\| &= 2;\\
\|tu\| &= \|t\| + \|u\| + 2;\\
\|\mathtt{s}(t)\| &= \|t\| + 2;\\
\|\mathtt{p}(t)\| &= \|t\| + 2;\\
\|\mathtt{ifz}\ t\ \mathtt{then}\ u\ \mathtt{else}\ s\| &= \|t\| + \|u\| + \|s\| + 2.
\end{aligned}$$

Notice that the multiplicative size of a term t is less than or equal to its size |t| (which is defined
inductively, similarly to ||t||, except for values: |n| = 2, and |fix x.t| = |λx.t| = |t| + 2). Values are
not taken into account by the multiplicative size. Indeed, the evaluation of terms (cf. Section 3.4)
consists first in scanning a term until a value is reached (and the cost of this step is measured by
the multiplicative size). Then this value is either destructed (e.g. when a lambda abstraction is
given an argument), or duplicated (e.g. when it is itself an argument of a lambda abstraction).
The cost of this second step will be measured by the type system dℓPCF_V.
Figure 2: Subtyping derivation rules of dℓPCF_V.

Figure 3: Typing rules of dℓPCF_V.



3.3 The Type System

The Language of Types The type system dℓPCF_V can be seen as a refinement of PCF obtained
by a linear decoration of its type derivations. Linear and modal types are defined as follows:

$$\begin{aligned}
A, B &::= \sigma \multimap \tau && \text{linear types}\\
\sigma, \tau &::= [a < I]\cdot A \mid \mathrm{Nat}[I, J] && \text{modal types}
\end{aligned}$$

where I, J range over index terms and a ranges over index variables. Modal types need some
comments. Natural numbers are freely duplicable, so Nat[I, J] is modal by definition. As a first
approximation, [a < I] · A can be thought of as a universal quantification of A, and so a is bound
in the linear type A. Moreover, the condition a < I says that σ consists of all the instances of
the linear type A where the variable a is successively instantiated with the values from 0 to I − 1,
i.e. A{0/a}, ..., A{I − 1/a}. For those readers who are familiar with linear logic, and in particular
with BLL, the modal type [a < I] · A is a generalisation of the BLL formula $!_{a<p}A$ to arbitrary
index terms. As such it can be thought of as representing the type A{0/a} ⊗ ··· ⊗ A{I − 1/a}.
Nat[I] is syntactic sugar for Nat[I, I]. In the typing rules we are going to define, modal types
need to be manipulated in an algebraic way. For this reason, two operations on modal types
need to be introduced. The first one is a binary operation ⊎ on modal types. Suppose that
σ = [a < I] · A{a/c} and that τ = [b < J] · A{I + b/c}. In other words, σ consists of the first
I instances of A, i.e. A{0/c}, ..., A{I − 1/c} while τ consists of the next J instances of A, i.e.
A{I + 0/c}, ..., A{I + J − 1/c}. Their sum σ ⊎ τ is naturally defined as a modal type consisting
of the first I + J instances of A, i.e. [c < I + J] · A. Furthermore, Nat[I, J] ⊎ Nat[I, J] is just
Nat[I, J]. An operation of bounded sum on modal types can be defined by generalising the idea
above: suppose that

$$\sigma = [b < J]\cdot A\Big\{b + \sum_{d<a} J\{d/a\}\Big/c\Big\}.$$

Then its bounded sum $\sum_{a<I}\sigma$ is just $[c < \sum_{a<I} J]\cdot A$. Finally, $\sum_{a<I}\mathrm{Nat}[J, K] = \mathrm{Nat}[J, K]$, provided
a is not free in J nor in K.

Figure 4: CEK_PCF evaluation rules for value closures.

Subtyping Central to dℓPCF_V is the notion of subtyping. An inequality relation ⊑ between
(linear or modal) types can be defined using the formal system in Figure 2. This relation corre-
sponds to lifting index inequalities at the type level. Please observe that ⊑ is a pre-order, i.e., a
reflexive and transitive relation.

Typing A typing judgement is of the form

where K is the weight of t, that is (informally) the maximal number of substitutions involved
in the CBV evaluation of t. Φ is a set of constraints (cf. Section 3.1) that we call the index
context, and Γ is a context assigning a modal type to (at least) each free variable of t. Both
sums and bounded sums are naturally extended from modal types to contexts (with, for instance,
{x : σ; y : τ} ⊎ {x : σ'; z : τ'} = {x : σ ⊎ σ'; y : τ; z : τ'}). There might be free index variables
in Φ, Γ, τ and K, all of them from φ. Typing judgements can be derived from the rules of Figure 3.

Derivation rules for abstractions and applications have been informally presented in Section 2.2.
The other ones are then intuitive, except the derivation rule for typing fix x.t, which is worth an
explanation: to simplify, assume we want to type only one copy of its type (that is, K = 1). To
compute the weight of fix x.t, we need to know the number of times t will be copied during the
evaluation, that is the number of nodes in the tree of its recursive calls. This tree is described
by I (as explained in Section 3.1), since each occurrence of x in t stands for a recursive call. It
has, say, $H = @^{0,1}_b I$ nodes. At each node b of this tree, the a-th occurrence of x will be replaced
by the a-th son of b, i.e. by $b + 1 + @^{b+1,a}_b I$. The types have to match, and that is what the second
premise expresses. Finally, the type of fix x.t is the type of the "main" copy of t, at the root of
the tree (i.e., at b = 0). The weight counts all the recursive calls (i.e., H) plus the weight of each
copy of t (i.e., the weight of t for each b < H).

Last, the subsumption rule allows to relax the precision standards of a typing judgement. 
One can also restrict the inequalities on indexes to equalities in this rule, and thereby construct 
only precise typing judgements. Observe that the set of all rules but this one is syntax directed. 
Moreover the subsumption rule preserves the PCF skeleton of the types, and so the type system 
is itself syntax directed up to index inequalities. 

3.4 An Abstract Machine for PCF

The call-by-value evaluation of PCF terms can be faithfully captured by an abstract machine in
the style of CEK [12], which will be introduced in this section.

The internal state of the CEK_PCF machine consists of a closure and a stack, interacting following
a set of rules. Formally, a value closure is a pair $\mathbf{v} = \langle v; \xi\rangle$ where v is a value and ξ is an
environment, itself a list of assignments of value closures to variables:

$$\xi ::= \emptyset \mid (x \mapsto \mathbf{v})\cdot\xi.$$
$$\begin{aligned}
\langle x; \xi\rangle \star \pi &\succ \mathbf{v} \star \pi && \text{if } (x \mapsto \mathbf{v}) \in \xi\\
\langle tu; \xi\rangle \star \pi &\succ \langle t; \xi\rangle \star \mathtt{arg}(\langle u; \xi\rangle, \pi)\\
\langle \mathtt{s}(t); \xi\rangle \star \pi &\succ \langle t; \xi\rangle \star \mathtt{s}(\pi)\\
\langle \mathtt{p}(t); \xi\rangle \star \pi &\succ \langle t; \xi\rangle \star \mathtt{p}(\pi)\\
\langle \mathtt{ifz}\ t\ \mathtt{then}\ u\ \mathtt{else}\ s; \xi\rangle \star \pi &\succ \langle t; \xi\rangle \star \mathtt{fork}(u, s, \xi, \pi)
\end{aligned}$$

Figure 5: CEK_PCF contextual evaluation rules.



A closure is a pair c = ⟨t; ξ⟩ where t is a term (and not necessarily a value). Stacks are terms
from the following grammar:

$$\pi ::= \diamond \mid \mathtt{fun}(\mathbf{v}, \pi) \mid \mathtt{arg}(c, \pi) \mid \mathtt{fork}(t, u, \xi, \pi) \mid \mathtt{s}(\pi) \mid \mathtt{p}(\pi).$$

A process P is a pair c ⋆ π of a closure and a stack.

Processes evolve according to a number of rules. Some of them (see Figure 4) describe how the
CEK_PCF machine evolves when the first component of the process is a value closure. Other rules
(see Figure 5) prescribe the evolution of CEK_PCF in all the other cases.

The following tells us that CEK_PCF is an adequate methodology to evalu ate PCF terms:

Proposition 3.1 (Adequacy) If t is a PCF term of type Nat, then $t \to_v^* n$ iff $(\langle t; \emptyset\rangle \star \diamond) \succ^* (\langle n; \emptyset\rangle \star \diamond)$.

Weights and the CEK_PCF Machine As will be formalised in Section 5.3, an upper bound for
the evaluation of a given term in the CEK_PCF machine can be obtained by multiplying its weight
and its size. This result can be explained as follows: we have seen (in Section 3.3) that its weight
represents the maximal number of substitutions in its CBV evaluation, and thereby the maximal
number of steps of the form

$$\begin{aligned}
\mathbf{v} \star \mathtt{fun}(\langle \lambda x.t; \xi\rangle, \pi) &\succ \langle t; (x \mapsto \mathbf{v})\cdot\xi\rangle \star \pi & (1)\\
\mathbf{v} \star \mathtt{fun}(\langle \mathtt{fix}\ x.t; \xi\rangle, \pi) &\succ \langle t; (x \mapsto \langle \mathtt{fix}\ x.t; \xi\rangle)\cdot\xi\rangle \star \mathtt{arg}(\mathbf{v}, \pi) & (2)
\end{aligned}$$

in its evaluation with the CEK_PCF. Between two such steps, the use of the other rules is not taken
into account by the weight; however these other rules make the size of the process decrease.
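Added example, not code from the paper: a small CEK_PCF-style interpreter in Python for the term syntax of Section 3.2, together with the multiplicative size ||t||. The contextual rules are those of Figure 5 and the two substitution rules (1) and (2) above; the remaining rules for value closures (Figure 4 is not reproduced on this page) are the standard CEK ones and are an assumption of this example, as are the tuple encoding of terms and every function name. Running dbl and dbl2 from Section 2 counts how many steps of the form (1) and (2) occur, which is the quantity the weight bounds, and shows that eager evaluation of dbl2 on n performs a number of such steps linear in n; div is run with a step budget so that its divergence is reported instead of looping.

```python
# Added example (not from the paper). Terms are tuples:
#   ('num', n) ('var', x) ('lam', x, t) ('fix', x, t) ('app', t, u)
#   ('succ', t) ('pred', t) ('ifz', t, u, s)
# A closure is (term, env); env is a tuple of (variable, value closure) pairs,
# most recent binding first.  Stacks are nested tuples headed by a constructor.
VALUES = {'num', 'lam', 'fix'}


def msize(t):
    """Multiplicative size ||t||: values weigh 0, a variable 2, and every
    other constructor adds 2 to the sizes of its subterms."""
    k = t[0]
    if k in VALUES:
        return 0
    if k == 'var':
        return 2
    if k == 'app':
        return msize(t[1]) + msize(t[2]) + 2
    if k in ('succ', 'pred'):
        return msize(t[1]) + 2
    return msize(t[1]) + msize(t[2]) + msize(t[3]) + 2       # ifz


def lookup(env, x):
    for name, clo in env:
        if name == x:
            return clo
    raise KeyError(f'unbound variable {x}')


def run(term, max_steps=1_000_000):
    """Run <term; empty> * halt until a value meets the empty stack.
    Returns (result, substitutions, steps), where `substitutions` counts the
    steps of the form (1) and (2), or None if max_steps transitions were not
    enough (the machine diverges within the budget)."""
    clo, stack = (term, ()), ('halt',)
    subst = steps = 0
    while steps < max_steps:
        t, env = clo
        k = t[0]
        if k in VALUES:                           # value-closure rules (assumed, standard CEK)
            s = stack[0]
            if s == 'halt':
                return t[1], subst, steps
            steps += 1
            if s == 'arg':                        # v * arg(c, pi) > c * fun(v, pi)
                clo, stack = stack[1], ('fun', clo, stack[2])
            elif s == 'fun':                      # rules (1) and (2): one substitution
                (f, fenv), pi = stack[1], stack[2]
                subst += 1
                if f[0] == 'lam':                 # (1): bind the parameter to v
                    clo, stack = (f[2], ((f[1], clo),) + fenv), pi
                else:                             # (2): unfold fix once, v stays pending
                    clo, stack = (f[2], ((f[1], (f, fenv)),) + fenv), ('arg', clo, pi)
            elif s == 'succ':
                clo, stack = (('num', t[1] + 1), env), stack[1]
            elif s == 'pred':                     # predecessor of 0 is 0
                clo, stack = (('num', max(t[1] - 1, 0)), env), stack[1]
            else:                                 # fork(u, s, env', pi): test the numeral
                _, u, s_, fenv, pi = stack
                clo, stack = (u if t[1] == 0 else s_, fenv), pi
            continue
        steps += 1
        if k == 'var':                            # <x; env> * pi > env(x) * pi
            clo = lookup(env, t[1])
        elif k == 'app':                          # Figure 5 rules
            clo, stack = (t[1], env), ('arg', (t[2], env), stack)
        elif k == 'succ':
            clo, stack = (t[1], env), ('succ', stack)
        elif k == 'pred':
            clo, stack = (t[1], env), ('pred', stack)
        else:
            clo, stack = (t[1], env), ('fork', t[2], t[3], env, stack)
    return None


# Constructed sample terms: dbl, div and dbl2 from Section 2 of the paper.
def num(n):
    return ('num', n)


X, F = ('var', 'x'), ('var', 'f')
DBL = ('fix', 'f', ('lam', 'x', ('ifz', X, X, ('succ', ('succ', ('app', F, ('pred', X)))))))
DIV = ('fix', 'f', ('lam', 'x', ('ifz', X, X, ('succ', ('succ', ('app', F, X))))))
DBL2 = ('lam', 'x', ('app', DBL, ('app', DBL, X)))

if __name__ == '__main__':
    for n in (1, 2, 4, 8):
        print(n, run(('app', DBL, num(n))), run(('app', DBL2, num(n))))
    print('div 1 within 10_000 steps:', run(('app', DIV, num(1)), 10_000))
```

Each recursive call of dbl costs exactly two substitution steps, one of the form (2) to unfold the fixpoint and one of the form (1) to bind x, so dbl on n performs 2(n + 1) of them and dbl2 on n performs 6n + 5: the quadratic repetition of the call-by-name evaluation described in Section 2.1 does not occur here, since the inner call is evaluated once to a value before the outer dbl sees it.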

4 Examples

In this section we will see how to type some "real life" functions in dℓPCF_V, and what is the cost
associated to them.

Addition In PCF, addition can be computed as follows:

add = fix f.λyz. ifz y then z else s(f p(y) z),

and has PCF type Nat ⇒ Nat ⇒ Nat. A brief analysis of its evaluation, if we apply it to two
values v and w in Nat, indicates that a correct annotation for this type in dℓPCF_V would be

$$[a < 1]\cdot(\mathrm{Nat}[f] \multimap [c < 1]\cdot(\mathrm{Nat}[g] \multimap \mathrm{Nat}[f + g]))$$

where f and g are constant symbols representing the values of t and u respectively. Since we directly
apply add, without copying this function, the index variables a and c are bounded by 1. This
type is indeed derivable for add in dℓPCF_V, assuming that the equational program $\mathcal{E}$ is powerful
Figure 6: Typing derivation of add. Abbreviations used in the figure:

$$\begin{aligned}
A &= \mathrm{Nat}[J] \multimap [c < 1]\cdot(\mathrm{Nat}[g] \multimap \mathrm{Nat}[J + g]); \qquad C = \mathrm{Nat}[H] \multimap [c < 1]\cdot(\mathrm{Nat}[g] \multimap \mathrm{Nat}[H + g]);\\
\Gamma &= \{x : [a < I]\cdot A,\ y : \mathrm{Nat}[H],\ z : \mathrm{Nat}[g]\}; \qquad \phi = \{b, a, c\}; \qquad \Phi = \{b < f + 1,\ a < 1,\ c < 1\}.
\end{aligned}$$

The derivation (rules (Var), (App), (If), (⊸) and (Fix)) contains, among others, the following judgements (weights not reproduced):

• φ; (H ≥ 1, Φ); Γ ⊢ x p(y) z : Nat[J + g], obtained by applying x : [a < I]·A to p(y) : Nat[J] and to z : Nat[g], and then φ; (H ≥ 1, Φ); Γ ⊢ s(x p(y) z) : Nat[H + g];

• φ; (H = 0, Φ); Γ ⊢ z : Nat[H + g], and by (If), φ; Φ; Γ ⊢ ifz y then z else s(x p(y) z) : Nat[H + g];

• (b, a); (b < f + 1, a < 1); x : [a < I]·A, y : Nat[H] ⊢ λz. ifz y then z else s(x p(y) z) : [c < 1]·(Nat[g] ⊸ Nat[H + g]) and, by (⊸), b; b < f + 1; x : [a < I]·A ⊢ λyz. ifz y then z else s(x p(y) z) : [a < 1]·C;

• the (Fix) step, with side premise b; b < f + 1 ⊨_ℰ C{b + 1/b} = A, concluding

$$\vdash_{f+1+\sum_{b<f+1}(I+1)} \mathit{add} : [a < 1]\cdot(\mathrm{Nat}[f] \multimap [c < 1]\cdot(\mathrm{Nat}[g] \multimap \mathrm{Nat}[f + g])).$$



enough to assign the following meaning to the corresponding index (they all depend on a free 
index variable b): 

I = if b < f then 1 else 0; 

J = f — 6 — 1; 
H = f-b; 
K = f-6+1. 

The derivation is given in Figure [6] We omit all the subsumption steps, but the index equalities 
they use are easy to check given that the number of nodes in the tree of recursive calls is ©I' 1 1 = 
f + 1. The hnal weight is equal to 3 x (f + 1). 

Multiplication  Multiplication can be easily defined using addition:

$$\mathsf{mult} = \mathsf{fix}\,x.\lambda yz.\ \mathsf{ifz}\ y\ \mathsf{then}\ 0\ \mathsf{else}\ \mathsf{add}\ z\ (x\,\mathsf{p}(y)\,z).$$

Taking the indexes $I$, $J$, $H$ and $K$ defined as in the previous paragraph, and using the typing judgement for $\mathsf{add}$ with $\mathsf{f}$ replaced by $\mathsf{g}$ and $\mathsf{g}$ replaced by $J\times\mathsf{g}$, we can assign to $\mathsf{mult}$ the type

$$[a<1]\cdot\mathsf{Nat}[\mathsf{f}]\multimap[c<1]\cdot(\mathsf{Nat}[\mathsf{g}]\multimap\mathsf{Nat}[\mathsf{f}\times\mathsf{g}])$$

(see Figure 7). The weight of $\mathsf{mult}$ is equal to $3\times(\mathsf{f}+1)+\sum_{b<\mathsf{f}+1}M$, where the meaning of $M$ is "$\mathsf{if}\ b=\mathsf{f}\ \mathsf{then}\ 0\ \mathsf{else}\ 3\mathsf{g}+1$". Thus the cost of evaluating the application of $\mathsf{mult}$ to two integers $n$ and $m$ in the CEK_PCF machine is proportional to $n\times m$.
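As an added example (not part of the paper, and not its CEK_PCF machine), the following Python program implements a small step-counting CEK-style machine for the call-by-value PCF fragment used above and runs add and mult on it. Its transition rules are an assumption of this example: numerals, abstractions and fixpoints are values, and a fixpoint applied to an argument is unfolded once and re-applied; consequently the absolute step counts differ from the weights derived above. What the run shows is the shape of the cost the section claims: the count for add ignores its second argument and is exactly affine in the first, and the count for mult is bilinear in (n, m), i.e. proportional to n×m. All names (Clo, step, run, run_add, run_mult, add_steps, mult_mixed_differences) belong to this example only.

```python
"""Step-counting CEK-style machine for call-by-value PCF (added example).

The transition rules below are an assumed, simplified formulation and not the
paper's CEK_PCF: numerals, abstractions and fixpoints are values, and a fixpoint
applied to an argument is unfolded once and re-applied.  Step counts therefore
differ from the paper's weights; only their growth in the arguments matters here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Term constructors (tagged tuples): n, x, lambda x.t, fix x.t, t u, s(t), p(t), ifz t then u else s
def num(n): return ("num", n)
def var(x): return ("var", x)
def lam(x, t): return ("lam", x, t)
def fix(x, t): return ("fix", x, t)
def app(t, u): return ("app", t, u)
def succ(t): return ("succ", t)
def pred(t): return ("pred", t)
def ifz(t, u, s): return ("ifz", t, u, s)

@dataclass
class Clo:
    """A closure <t; xi>: a term together with an environment mapping variables to closures."""
    term: tuple
    env: Dict[str, "Clo"]

HALT = ("halt",)  # the empty stack

def is_value(c: Clo) -> bool:
    return c.term[0] in ("num", "lam", "fix")

def as_num(c: Clo) -> int:
    if c.term[0] != "num":
        raise TypeError("expected a numeral, got %r" % (c.term[0],))
    return c.term[1]

def step(c: Clo, pi: tuple) -> Optional[Tuple[Clo, tuple]]:
    """One machine transition c * pi -> c' * pi'; None when the process is final."""
    t, env = c.term, c.env
    tag = t[0]
    if tag == "app":                      # <tu; xi> * pi  ->  <t; xi> * arg(<u; xi>, pi)
        return Clo(t[1], env), ("arg", Clo(t[2], env), pi)
    if tag == "var":                      # look the variable up in the environment
        return env[t[1]], pi
    if tag == "succ":
        return Clo(t[1], env), ("succ", pi)
    if tag == "pred":
        return Clo(t[1], env), ("pred", pi)
    if tag == "ifz":                      # evaluate the guard, remember both branches
        return Clo(t[1], env), ("fork", t[2], t[3], env, pi)
    assert is_value(c)
    frame = pi[0]
    if frame == "halt":
        return None
    if frame == "arg":                    # v * arg(c, pi)  ->  c * fun(v, pi)
        return pi[1], ("fun", c, pi[2])
    if frame == "fun":                    # argument value c meets the function value v
        v, rest = pi[1], pi[2]
        if v.term[0] == "lam":            # substitution rule: bind the parameter
            return Clo(v.term[2], {**v.env, v.term[1]: c}), rest
        if v.term[0] == "fix":            # unfold the fixpoint, then apply its body to c
            return Clo(v.term[2], {**v.env, v.term[1]: v}), ("arg", c, rest)
        raise TypeError("applying a numeral")
    n = as_num(c)
    if frame == "succ":
        return Clo(num(n + 1), {}), pi[1]
    if frame == "pred":
        return Clo(num(max(n - 1, 0)), {}), pi[1]
    if frame == "fork":                   # branches run in the environment of the ifz
        _, u, s, fenv, rest = pi
        return Clo(u if n == 0 else s, fenv), rest
    raise ValueError("unknown frame %r" % (frame,))

def run(t: tuple, fuel: int = 10**6) -> Tuple[int, int]:
    """Run closed term t to a numeral; return (value, number of transitions)."""
    c, pi, steps = Clo(t, {}), HALT, 0
    while True:
        nxt = step(c, pi)
        if nxt is None:
            return as_num(c), steps
        c, pi = nxt
        steps += 1
        if steps > fuel:                  # bounded fuel: a runaway term is reported, not run forever
            raise RuntimeError("fuel exhausted after %d steps" % fuel)

# add = fix x. λyz. ifz y then z else s(x p(y) z)
ADD = fix("x", lam("y", lam("z", ifz(var("y"), var("z"),
          succ(app(app(var("x"), pred(var("y"))), var("z")))))))
# mult = fix x. λyz. ifz y then 0 else add z (x p(y) z)
MULT = fix("x", lam("y", lam("z", ifz(var("y"), num(0),
           app(app(ADD, var("z")), app(app(var("x"), pred(var("y"))), var("z")))))))

def run_add(n: int, m: int) -> Tuple[int, int]:
    return run(app(app(ADD, num(n)), num(m)))

def run_mult(n: int, m: int) -> Tuple[int, int]:
    return run(app(app(MULT, num(n)), num(m)))

def add_steps(max_n: int, m: int) -> List[int]:
    """Step counts of add n m for n = 0..max_n: affine in n iff all second differences are 0."""
    return [run_add(n, m)[1] for n in range(max_n + 1)]

def second_differences(xs: List[int]) -> List[int]:
    return [xs[i + 2] - 2 * xs[i + 1] + xs[i] for i in range(len(xs) - 2)]

def mult_mixed_differences(max_n: int, m1: int, m2: int) -> List[int]:
    """Mixed differences of the mult step count; all equal (and > 0) iff the cost is bilinear in n, m."""
    col = [run_mult(n, m2)[1] - run_mult(n, m1)[1] for n in range(max_n + 1)]
    return [col[i + 1] - col[i] for i in range(max_n)]

if __name__ == "__main__":
    print(run_add(3, 4), run_mult(3, 4))
    print(add_steps(5, 7), second_differences(add_steps(5, 7)))
    print(mult_mixed_differences(4, 2, 5))
```

The `fuel` bound in `run` is the practical counterpart of the weights studied in Section 5: a term whose cost has not been bounded in advance can only be executed safely under an explicit step budget, which is exactly what a derived weight would let one compute instead of guessing.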



5 The Metatheory of dℓPCF_V

In this section, some metatheoretical results about dℓPCF_V will be presented. More specifically, type derivations are shown to be modifiable in many different ways, all of them leaving the underlying term unaltered. These manipulations, described in Section 5.1, form a basic toolkit which is essential to achieve the main results of this paper, namely intensional soundness and completeness (presented in Section 5.3 and Section 5.4). Types are preserved by call-by-value reduction, as proved in Section 5.2.
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(★) : 0; (H > 1, *); hf x(g+1) add : [a < l] ■ Nat[g] - [c < l] ■ (Nat [J xg]^ Nat[g + J x g]) 

A = Nat [J] -o [c < 1] ■ (Nat[g] -o Nat [J x g]) ; C = Nat[H] -o [c < 1] ■ (Nat[g] -o Nat[H x g]) 
T = {a; : [a < I] ■ A, y : Nat[H], z : Nat[g]} ; = {b, a, c} ; * = {6 < f + 1, o < 1, c < 1} 

0;(H^l,*);j/:Nat[H]|-f y:Nat[H] 

<fi; (H ^ 1, x : [a < I] ■ A \-q x : [a < I] ■ A 0; (H > 1, <&); y : Nat[H] hf p(y) ■ Nat[J] 



0; (H > 1, *); x : [a < I] • : Nat[H] hf x p(j/) : [c < 1] • (Nat[g] Nat [J x g]) 

(★) 0;(H > 1, : Nat[g] hf z : Nat[g] : 0; (H > 1, <t>); a : Nat[g] hf 2 : Na 


t[g] 


0; (H > l,*) ; r hf x(g+1) add z : [c < 1] • (Nat [J x g] — ° Nat [g + J x g]) 0; (H $= hf I p(j/) * : Nat [J x 


g] 


0; (H > l,*);r hf x(g+1) add z (xp(y)z) : Nat[H x g] 

0;<J>;2, : Nat[H] hf ?/:Nat[H] 0; (H < 0, *); V hf : Nat[H x g] ! 

0; <t>; T hfi if z y then else add (x p(y) z) z : Nat[H x g] 


— 


(b, a); (b < f + 1, a < 1); (x : [a < I] • A; y : Nat[H]) hf +M Az. if z y then else add (x p(y) z) z : 

[c < 1] • (Nat[g] -o Nat[H x g]) ^ ^ 


6; b < f + 1; x : [a < I] • A hf +1+M \yz. if z y then else add (x p(y) z) z : [a < 1] ■ C 

c ( Fix ) 

h ^+i+S 6 < f+1 (i+i+M) mult Nat[f] - [c < 1] ■ (Nat[g] ^ Nat[f x g]) 



■ (App) 

(App) 



Figure 7: Typing derivation of mult 



The rules, reconstructed from the extraction (premises are listed before the conclusion; the two-dimensional layout was lost):

Empty stack: $\phi;\Phi\vdash^I\diamond:(\tau,\tau)$.

Subsumption: from $\phi;\Phi\vdash^I\pi:(\sigma,\tau)$, $\phi;\Phi\vdash_{\mathcal E}\sigma'\sqsubseteq\sigma$, $\phi;\Phi\vdash_{\mathcal E}\tau\sqsubseteq\tau'$ and $\phi;\Phi\models_{\mathcal E}I\le J$, conclude $\phi;\Phi\vdash^J\pi:(\sigma',\tau')$.

$\mathsf{arg}$: from $\phi;\Phi\vdash^J c:\sigma\{0/a\}$ and $\phi;\Phi\vdash^K\pi':(\tau\{0/a\},\tau')$, conclude $\phi;\Phi\vdash^{J+K}\mathsf{arg}(c,\pi'):([a<1]\cdot(\sigma\multimap\tau),\tau')$.

$\mathsf{fun}$: from $\phi;\Phi\vdash^J v:[a<1]\cdot(\sigma\multimap\tau)$ and $\phi;\Phi\vdash^K\pi':(\tau\{0/a\},\tau')$, conclude $\phi;\Phi\vdash^{J+K}\mathsf{fun}(v,\pi'):(\sigma\{0/a\},\tau')$.

$\mathsf{fork}$: from $\phi;N=0,\Phi\vdash^I\langle t;\xi\rangle:\sigma$, $\phi;M\ge1,\Phi\vdash^I\langle u;\xi\rangle:\sigma$ and $\phi;\Phi\vdash^K\pi':(\sigma,\tau)$, conclude $\phi;\Phi\vdash^{I+K}\mathsf{fork}(t,u,\xi,\pi'):(\mathsf{Nat}[M,N],\tau)$.

$\mathsf{s}$: from $\phi;\Phi\vdash^I\pi:(\mathsf{Nat}[M+1,N+1],\tau)$, conclude $\phi;\Phi\vdash^I\mathsf{s}(\pi):(\mathsf{Nat}[M,N],\tau)$.

$\mathsf{p}$: from $\phi;\Phi\vdash^I\pi:(\mathsf{Nat}[M-1,N-1],\tau)$, conclude $\phi;\Phi\vdash^I\mathsf{p}(\pi):(\mathsf{Nat}[M,N],\tau)$.

Figure 8: dℓPCF_V: Lifting Typing to Stacks
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5.1 Manipulating Type Derivations 

First of all, the constraints $ in index, sub-typing and typing judgements can be made stronger 
without altering the rest: 

Lemma 5.1 (Strengthening) If 0; \1/ \=g $, then the following implications hold: 

1. If (f>; $ I 5$ J, then <p; * hf I «S J; 

2. If <fi; $ o E t, then ^hfffE r; 
5. // </»;$; T hf t : a, then </>;<!'; T hf t : a. 

Proof. Point [TJ is a trivial consequence of transitivity of implication in logic. Point [2j can be 
proved by induction on the structure of the proof of <f>\ $ he a E r, using point [TJ Point [3] can 
be proved by induction on a proof of <j>; hf * : ff, using points [TJ and [3] □ 

Strengthening is quite intuitive: whatever appears on the right of h£ should hold for all values of 
the variables in <f> satisfying 3>, so strengthening corresponds to making the judgement weaker. 

Fresh term variables can be added to the context P, leaving the rest of the judgement un- 
changed: 

Lemma 5.2 (Context Weakening) <j>; <£>; V hf t : r implies 0;$;T, A hf t : r. 

Proof. Again, this is an induction on the structure of a derivation for <f>; $; T hf t : t. □ 

Another useful transformation on type derivations consists in substituting index variables with defined index terms.

Lemma 5.3 (Index Substitution) If $\phi;\Phi\models_{\mathcal E}I\downarrow$, then the following implications hold:

1. If $(a,\phi);\Phi,\Psi\models_{\mathcal E}J\le K$, then $\phi;\Phi,\Psi\{I/a\}\models_{\mathcal E}J\{I/a\}\le K\{I/a\}$;

2. If $(a,\phi);\Phi,\Psi\vdash_{\mathcal E}\sigma\sqsubseteq\tau$, then $\phi;\Phi,\Psi\{I/a\}\vdash_{\mathcal E}\sigma\{I/a\}\sqsubseteq\tau\{I/a\}$;

3. If $(a,\phi);\Phi,\Psi;\Gamma\vdash^{L}t:\sigma$, then $\phi;\Phi,\Psi\{I/a\};\Gamma\{I/a\}\vdash^{L\{I/a\}}t:\sigma\{I/a\}$.

Proof. 1. Assume that $\phi;\Phi\models_{\mathcal E}I\downarrow$ and $(a,\phi);\Phi,\Psi\models_{\mathcal E}J\le K$, and let $\rho$ be an assignment satisfying $\Phi,\Psi\{I/a\}$. In particular, $\rho$ satisfies $\Phi$, thus $\llbracket I\rrbracket^{\mathcal E}_\rho$ is defined, say equal to $n$. For any index $H$, $\llbracket H\{I/a\}\rrbracket^{\mathcal E}_\rho=\llbracket H\rrbracket^{\mathcal E}_{\rho,a\mapsto n}$. Hence $(\rho,a\mapsto n)$ satisfies $\Phi,\Psi$, and then it also satisfies $J\le K$. So $\llbracket J\{I/a\}\rrbracket^{\mathcal E}_\rho=\llbracket J\rrbracket^{\mathcal E}_{\rho,a\mapsto n}\le\llbracket K\rrbracket^{\mathcal E}_{\rho,a\mapsto n}=\llbracket K\{I/a\}\rrbracket^{\mathcal E}_\rho$, and $\rho$ satisfies $J\{I/a\}\le K\{I/a\}$. Thus $\phi;\Phi,\Psi\{I/a\}\models_{\mathcal E}J\{I/a\}\le K\{I/a\}$.

2. By induction on the subtyping derivation, using point 1.

3. By induction on the typing derivation, using points 1 and 2. □

Observe that the only hypothesis is that $\phi;\Phi\models_{\mathcal E}I\downarrow$ (definition in Section 3.1): we do not require $I$ to be a value of $a$ that satisfies $\Psi$. If it does not, the constraints in $\Phi,\Psi\{I/a\}$ become inconsistent, and the obtained judgements are vacuous.

5.2 Subject Reduction

What we want to prove in this subsection is the following result:

Proposition 5.4 (Subject Reduction) If $t\to_v u$ and $\phi;\Phi;\vdash^I t:\tau$, then $\phi;\Phi;\vdash^I u:\tau$.

Subject Reduction can be proved in a standard way, by going through a Substitution Lemma, which only needs to be proved when the term being substituted is a value. Preliminary to the Substitution Lemma are two auxiliary results stating that derivations giving types to values can, if certain conditions hold, be split into two, or put in parametric form:

Lemma 5.5 (Splitting) If $\phi;\Phi;\Gamma\vdash^M v:\tau_1\uplus\tau_2$, then there exist two indexes $N_1,N_2$ and two contexts $\Gamma_1,\Gamma_2$ such that $\phi;\Phi;\Gamma_i\vdash^{N_i}v:\tau_i$ (for $i=1,2$), $\phi;\Phi\models_{\mathcal E}N_1+N_2\le M$ and $\phi;\Phi\vdash_{\mathcal E}\Gamma\sqsubseteq\Gamma_1\uplus\Gamma_2$.
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Proof. If v is a primitive integer n, the result is trivial as the only possible decomposition of a 
type for integers is Nat [I, J] = Nat [I, J] ty Nat [I, J]. 
If v = Xx.t, then its typing judgement derives from 

( a ^);(o<I,$);A,i:(7h £ Kt:T (3) 
^^TE^A (4) 

a<I 

with T\ tb r 2 = [a < I] • a —° r and M = I + 2j <i Hence I = Ii + I 2 , and t\ = [a < Ii] • a —° r, 
and t 2 = [a < I 2 ] • <r{Ii + a/a} — ° r{Ii + a/a}. Since (a, </>); (a < Ii,$) hg (a < 1,$), we can 
strength the hypothesis in (|3|) by Lemma \5. II and derive 

(a, 4>); (a < Ii, A,x : cr h-K * : t 

<fr *; 2a<i 1 A l-f 1+ E a<Il k A ^ : [a < Ix] • a r 

On the other hand, we can substitute a with a + Ii in © by Lemma 15.31 and derive 

(a, 0); (a < I 2 , $); A{a + Ii/a}, x : a{a + Ii/a} +| {a+Il/a} t : r{a + \ x /a] 

fa *: 2a<I 2 A { a + Il/a} h f 2 +2 a<1 , K{a+Ii/a} XxI : [ a < ^1 ' a i a + V^} ~° T i a + 

Hence we can conclude with T\ = 2j a <ii A > ^2 = 2a<i 2 A i a + Ii/a}, Ni = Ii + 2a<i ^ an< ^ 



N 2 =I 2 +I] a<l2 K{ a + I 1 / a }. _ 

Now, if u = fix x.t, then its typing judgement derives from 

(6, ef>); (b < H, $); A,x : [a < I] • A hf t : [a < 1] • B (5) 

0;$h £ H^®£' K I (6) 

(a, 6, 0); (a < I, 6 < H, $) h £ S{0/a}{@^ +1 ' a I + b + 1/6} c A (7) 

(a, 0); (a < K, $) h £ B{0/a}{@° b ' a 1/6} != C (8) 

^NreE kH A (9) 



with n tb r 2 = [a < K] • C, and M = H + Xib<H J - Hence K = K x + K 2 , with n = [a < K x ] • C, 
and r 2 = [a < K 2 ] • C{a + K x /a}. Let Hi = @°' Kl I and H 2 = @f uK2 1. Then Hi + H 2 = I, 
and H 2 is also equal to @°' K2 1{Hi + b/b}. Just like the previous case, we can strengthen the 
hypothesis in JS|), ([7]) and © and derive 

(b,<f>); (b < Hi,$); A,x : [a < I] • A hf t : [a < 1] • B 

(a, 6, (j,)- (a < I, b < Hi, $) he B{0/a}{@ b b +1 ' a l + b + 1/b} E A 

(a, </>); (a < K u $) h £ B{0/o}{®g' a 1/6} E C 

fa $ 5 2 6 < Hl A ^H 1+Sb<Hi j f ix x.t : [a < K x ] • C 

Moreover, if we substitute 6 with 6 + Hi in (0 and we strengthen the constraints (since ([6]) implies 
(f>; $, 6 < H 2 |=g $, 6 + Hi < H), we get 

(a, 6, 0); (a < I, 6 < H 2 , $) h £ S{0/a}{@|; +1 ^ I + 6 + 1/6}{Hi + 6/6} c A{Hi + 6/6}. 

But (@|; +1 ^I+6+l){Hi+6/6} = @f 1+b+1 ' a I+Hi+6+l and @^ 1+6+1 '° I = @^ +1 ' a (I{Hi +6/6}). 
Hence B{0/a}{@j; +1 ' a I + 6 + 1/6}{Hi + 6/6} = £{Hi + 6/6}{0/a}{@ b+1 ' a (I{Hi + 6/6}) + 6 + 1/6}. 
In the same way we can substitute a with a + Ki in (|5|): 

(a, 0); (a < K 2 , $) h £ B{0/a}{@°' a+Kl 1/6} c C{a + K x /o} 

But @°< Q+Kl I = Hi +@" 1 '°I = Hi +@°' Q I{Hi + 6/6}, and so 5{0/a}{@^ Q+Kl 1/6} is equivalent 
to S{Hi + 6/6}{0/a}{@^ Q I{Hi + 6/6J/6}. Finally, by substituting also 6 with 6 + H x in © we 
can derive 
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(6, 0); (6 < H 2 , $); A{Hi + 6/6}, x : ([a < I] • A){Hi + 6/6} ^f {Hl+b /6} *:[«<!]• #{Hi + 6/6} 
(a, 6, 0); (a < I, 6 < H 2 , $) hg B{Hi + &/&}{0/a}{@£ +1 ' a (I{Hi + 6/6}) + 6 + 1/6} E A{Hi + 6/6} 
(a, 0); (a < K 2 , $) hg -B{Hi + 6/6}{0/ Q }{@°' a I{Hi + 6/6}/6} E= C{a + Ki/a} 

*; S & <h 2 A ( H i + fe A} i-H 2 +s b<H , J{Hl+ b/6} f ix x± : [° < K 2] • + K i/«1 

So we can conclude with T 1 = 2 a<Hi A > r 2 = Sq<h 2 M a + H i/a}, Ni = Hi + £ a<Hl J and 
N 2 = H 2 + 2 a<H2 J{« + Hi/a}. ' □ 

Lemma 5.6 (Parametric Splitting) If $\phi;\Phi;\Gamma\vdash^M v:\sum_{c<J}\sigma$ is derivable, then there exist an index $N$ and a context $\Delta$ such that one can derive $c,\phi;c<J,\Phi;\Delta\vdash^N v:\sigma$, and $\phi;\Phi\models_{\mathcal E}\sum_{c<J}N\le M$ and $\phi;\Phi\vdash_{\mathcal E}\Gamma\sqsubseteq\sum_{c<J}\Delta$.

Proof. The proof uses the same technique as for Lemma 5.5. If $v$ is a lambda abstraction or a fixpoint, then $\sum_{c<J}\sigma$ is of the form $[a<\sum_{c<J}L]\cdot C$, where $[a<L]\cdot C\{a+\sum_{c'<c}L\{c'/c\}/a\}=\sigma$. Then the result also follows from Strengthening (Lemma 5.1) and Index Substitution (Lemma 5.3): for the lambda abstraction, substitute $a$ with $a+\sum_{c'<c}L\{c'/c\}$ in (3). For the fixpoint, consider the index $H'$ satisfying the equations $H'\{0/c\}=\circledast^{0,L\{0/c\}}_b I$ and $H'\{i+1/c\}=\circledast^{H'\{i/c\},L\{i+1/c\}}_b I$. Then substitute $b$ with $b+\sum_{c'<c}H'\{c'/c\}$ (and add the constraint $c<J$ to the context) in (5) and (7), and substitute $a$ with $a+\sum_{c'<c}L\{c'/c\}$ in (8) to derive the result. □

One can easily realise why these results are crucial for subject reduction: whenever the substituted value flows through a type derivation, there are various places where its type changes, namely when it reaches instances of the typing rules (App), ($\multimap$), (If) and (Fix): in all these cases the type derivation for the value must be modified, and the splitting lemmas certify that this is possible. We can this way reach the key intermediate result:

Lemma 5.7 (Substitution) If $\phi;\Phi;\Gamma,x:\sigma\vdash^M t:\tau$ and $\phi;\Phi;\vdash^N v:\sigma$ are both derivable, then there is an index $K$ such that $\phi;\Phi;\Gamma\vdash^K t[x:=v]:\tau$ and $\phi;\Phi\models_{\mathcal E}K\le M+N$.

Proof. The proof goes by induction on the derivation of the judgement $\phi;\Phi;\Gamma,x:\sigma\vdash^M t:\tau$, making intense use of Lemma 5.5 and Lemma 5.6. □

Given Lemma 5.7, proving Proposition 5.4 is routine: the only two nontrivial cases are those where the fired redex is a $\beta$-redex or the unfolding of a recursively-defined function, and both consist in a substitution. Observe how Subject Reduction already embeds a form of extensional soundness for dℓPCF_V, since types are preserved by reduction. As an example, if one builds a type derivation for $\vdash^I t:\mathsf{Nat}[2,7]$, then the normal form of $t$ (if it exists) is guaranteed to be a constant between 2 and 7. Observe, on the other hand, that nothing is known about the complexity of the underlying computational process yet, since the weight $I$ does not necessarily decrease along reduction. This is the topic of the following section.

5.3 Intensional Soundness

In this section, we prove the following result:

Theorem 5.8 (Intensional soundness) For any term $t$, if

$$\vdash^H t:\mathsf{Nat}[I,J]$$

then $t\Downarrow^n m$ where $n\le|t|\cdot(\llbracket H\rrbracket_{\mathcal E}+1)$ and $\llbracket I\rrbracket_{\mathcal E}\le m\le\llbracket J\rrbracket_{\mathcal E}$.

Roughly speaking, this means that dℓPCF_V also gives us some sensible information about the time complexity of evaluating typable PCF programs. The path towards Theorem 5.8 is not too short:
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Syntactic size of terms: 

|n| = 2 
\Xx.t\ 
| fix x.t\ 
\x\ 
\tu\ 
\s(t)\ 

lp(*)l 

I if z t then u else s| 



1*1 + 2 
1*1 + 2 
2 

\t\ + \u\ + 2 
1*1 + 2 
1*1 + 2 

Itl + Id + Isl + 2 



Size of closures: 


K*;OI 


= 11*11 


Size of processes: 


C * 7T 


= |c| + |tt| 


Size of stacks: 






|o 


1 = o 




|fun(v , 7r) 


1 = M 


+ kl 


|arg(c, tt) 


1 = |c| 


+ 7r| + 1 


fork(t , u , £ , tt] 




+ \\u\\ + 7r| + 1 


|s(+ 


1 = I 71 "! 


+ 1 




1 = I 71 "! 


+ 1 



Figure 9: Size of processes 



it is necessary to lift dℓPCF_V to a type system for closures, environments and processes, as defined in Section 2.3. Actually, the type system can be easily generalised to closures by the rule below:

$$\frac{\phi;\Phi;x_1:\sigma_1,\ldots,x_n:\sigma_n\vdash^I t:\tau\qquad \phi;\Phi\vdash^{J_i}v_i:\sigma_i\ \ (1\le i\le n)}{\phi;\Phi\vdash^{I+\sum_{1\le i\le n}J_i}\langle t;\{x_1\mapsto v_1;\ldots;x_n\mapsto v_n\}\rangle:\tau}$$

Lifting everything to stacks, on the other hand, requires more work, see Figure 8. We say that a stack $\pi$ is $(\phi;\Phi)$-acceptable for $\sigma$ with type $\tau$ and cost $I$ (notation: $\phi;\Phi\vdash^I\pi:(\sigma,\tau)$) when it interacts well with closures of type $\sigma$ to produce a process of type $\tau$. Indeed, a process can be typed as follows:

$$\frac{\phi;\Phi\vdash^J\pi:(\sigma,\tau)\qquad\phi;\Phi\vdash^K c:\sigma\qquad\phi;\Phi\models_{\mathcal E}I=J+K}{\phi;\Phi\vdash^I c\star\pi:\tau}$$

This way, the notion of weight has also been lifted to processes, with the hope of being able to show that it strictly decreases at every evaluation step. As it turns out, this cannot be achieved in full: sometimes the weight of a process does not change, but in that case another parameter is guaranteed to decrease, namely the process size. The size $|c\star\pi|$ of $c\star\pi$ is defined as $|c|+|\pi|$, where:

• The size $|c|$ of a closure $\langle t;\xi\rangle$ is the multiplicative size $\|t\|$ of $t$ (cf. Section 3.2).

• The size $|\pi|$ of a stack is the sum of the sizes of all closures appearing in $\pi$ plus the number of occurrences of symbols (different from $\diamond$ and $\mathsf{fun}$) in $\pi$.

The formal definition of $|c\star\pi|$ is given in Figure 9.

The size of a process decreases under any evaluation step, except the two performing a substitution, (1) and (2). However, these two reduction rules make the weight of a process decrease, as formalised by the following proposition. Incidentally, these are the cases in which a box is opened up in the underlying linear logic proof.

Proposition 5.9 (Weighted Subject Reduction) Assume $P\triangleright R$ and $\phi;\Phi\vdash^I P:\tau$. Then $\phi;\Phi\vdash^J R:\tau$ and

• either $\phi;\Phi\models_{\mathcal E}I=J$ and $|P|>|R|$,

• or $\phi;\Phi\models_{\mathcal E}I>J$ and $|P|+|s|>|R|$, where $s$ is a term appearing in $P$.

Proof. 1. If $P\triangleright R$ by a non-substitution rule (any rule of the machine except (1) and (2)), then it is easy to check that $|P|>|R|$. Moreover, in all these cases $P$ and $R$ have the same type and the same weight. We detail some cases:
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• If P = v * arg(c, 7r) > c * fun(v, n) = R, then the typing of P derives from 
;$h| c : <T {0/a} 
$h£ tt' : (r {0/ a },r) 



$h £ a rz [ a < 1] • (er -o t ) 
J = H + L 

<p;$ hf arg(c, tt) : (a,r) 



6;$|-K v : o- 
4;$|= e I = J + K 



hf v * arg(c, tt) : t 



Hence since subtyping is derivable (Lemma ??) we can derive for R: 
(j>; $ h| v : [a < 1] • (ct -o t ) 
0;$h£^: (r {0/ a },T) 

0; $ h| c : a {0/a} 
</, ; $ N£ I = H + L + K 



^l+k fun(v, tt) : (CT {0/a},r) 



0; $ |— i c * fun(v , tt) : r 
If P = (tu; £ ) * n > (i;0* ar §(( u I O i 7r ) = then the typing of P derives from 

<fi; $;xi : fii, . . . ,x„ : /j„ h§ t '■ [a < N] • k -o 77 
</>;$; a?i : 771, . . . , x„ : r?„ h| " : k{0/ci} 

(/>; $ he <Tj E /ttj w 77^ 

0; $ (= £ N > 1 

<f>; $ he 7/{0/a} E a 



, X n '. (T n I 



tu : <7 



6; $ hf v, : crj 



0; $ hf tt : (<r, r) 
6; $ h £ I = J + H + K + £. J< 



0;$ hf <tu; O * tt : t 

In particular, since subtyping is derivable, cf>; $ hf. : /ij ty 77^ for each i. By Lemma 15. 5 
(that can be trivially extended to closures), it means that there are some < Xj,Nj such 
that 



0; $ hM; Vi : /ij 
0; $ I-n, Vj : th 
0; $ hf Mi + N, = L 

Hence both these judgements are derivable: 

(/>;®;xi : . . . ,x n : jj, n \-§*t : [a < 1] ■ k -o 77 



; $ Vj : /Jj 



' * K+£ i<Tl Mi 



and 



; $; xi : 771, . . . , x„ : ?7„ hn w : K{0/a} 0; $ h^ v-i : % 



6;$ h £ 



,; O : «{0/a} 



Hence we can derive the following typing judgement for R (notice that subtyping is derivable 
for the stacks, with contravariance in the first type): 



(u; O- «{0/a} 



• <& h f 



<*; O : [a < 1] • « -° 77 
$h £ I = K + J + H + Ei(Mi + Ni) 



0;$hf tt : ( V {0/a},T) 



;4> 



hf +H+s . Nj arg«u; £> , tt) : ([a < 1] • k -o 77, r) 



;$hf <i;0 * arg«u;^>,7r):T 



2. If P > R with a substitution rule... 



□ 



Splitting and parametric splitting play a crucial role here, once appropriately generalised to value closures.

Given Proposition 5.9, Theorem 5.8 is within reach: the natural number $|s|$ in Proposition 5.9 cannot be greater than the size of the term $t$ we start from, since the only "new" terms created along reduction are constants in the form $\underline n$ (which have null size).

5.4 (Relative) Completeness

In this section, we will prove some results about the expressive power of dℓPCF_V, seen as a tool to prove intensional (but also extensional) properties of PCF terms. Actually, dℓPCF_V is extremely powerful: every first-order PCF program computing the function $f:\mathbb N\to\mathbb N$ in a number of steps bounded by $g:\mathbb N\to\mathbb N$ can be proved to enjoy these properties by way of dℓPCF_V, provided two conditions are satisfied:

• On the one hand, the equational program $\mathcal E$ needs to be universal, meaning that every partial recursive function is expressible by some index term. This can be guaranteed, as an example, by the presence of a universal program in $\mathcal E$.

• On the other hand, all true statements in the form $\phi;\Phi\models_{\mathcal E}I\le J$ must be "available" in the type system for completeness to hold. In other words, one cannot assume that those judgements are derived in a given (recursively enumerable) formal system, because this would violate Gödel's Incompleteness Theorem. In fact, ours are completeness theorems relative to an oracle for the truth of those assumptions, which is precisely what happens in Floyd-Hoare logics [9].

PCF Typing  The first step towards completeness is quite easy: propositional type systems in the style of PCF for terms, closures, stacks and processes need to be introduced. All of them can be easily obtained by erasing the index information from dℓPCF_V. As an example, the typing rule for application looks like

$$\frac{\Gamma\vdash_{\mathsf{PCF}}t:\alpha\Rightarrow\beta\qquad\Gamma\vdash_{\mathsf{PCF}}u:\alpha}{\Gamma\vdash_{\mathsf{PCF}}tu:\beta}$$

while processes can be typed by the following rule

$$\frac{\vdash_{\mathsf{PCF}}\pi:(\alpha,\beta)\qquad\vdash_{\mathsf{PCF}}c:\alpha}{\vdash_{\mathsf{PCF}}c\star\pi:\beta}$$

Given any type $\sigma$ (respectively any type derivation $\delta$) of dℓPCF_V, the PCF type (respectively, the PCF type derivation) obtained by erasing all the index information will be denoted by $(|\sigma|)$ (respectively, by $(|\delta|)$). Of course both terms and processes enjoy subject reduction theorems with respect to PCF typing, and their proofs are much simpler than those for dℓPCF_V. As an example, given a type derivation $\delta$ for $\vdash_{\mathsf{PCF}}P:\mathsf{Nat}$ (we might write $\delta\triangleright\vdash_{\mathsf{PCF}}P:\mathsf{Nat}$) and $P\triangleright R$, a type derivation $\delta'$ for $\vdash_{\mathsf{PCF}}R:\mathsf{Nat}$ can be easily built by manipulating $\delta$ in a standard way; we write $\delta\triangleright\delta'$.

Weighted Subject Expansion  The key ingredient for completeness is a dualisation of Weighted Subject Reduction:

Proposition 5.10 (Weighted Subject Expansion) Suppose that $\delta\triangleright\vdash_{\mathsf{PCF}}P:\alpha$, that $\delta\triangleright\delta'$, and that $\theta'\triangleright\phi;\Phi\vdash^I R:\tau$ where $(|\theta'|)=\delta'$. Then there is

$$\theta\triangleright\phi;\Phi\vdash^J P:\tau$$

with $(|\theta|)=\delta$ and $\phi;\Phi\models_{\mathcal E}J\le I+1$. Moreover, $\theta$ can be effectively computed from $\delta$, $\delta'$ and $\theta'$.

Proving Proposition 5.10 requires a careful analysis of the evolution of the CEK_PCF machine, similarly to what happened for Weighted Subject Reduction. But while in the latter it is crucial to be able to (parametrically) split type derivations for terms (and thus closures), here we need to be able to join them:
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5i> h 



PCF ^1 



Nat • 



$2> hpcF P2 : Nat 

I 

I 

Y 

<5n-l> I-pcf Pn-i : Nat • 



5«> I-pcf P„ : Nat ■ 



h> hf, Pi 



^2 > hf 2 P 2 
A 

I 
I 

-i> hi, R 



Nat[m] 



Nat[m] 



n— 1 



Nat [m] 



■ #n> hf P n : Nat [to] 



Figure 10: Completeness for Programs: sketch of the Proof 



Lemma 5.11 (Joining) If $\mathcal E$ is universal, then

$$\frac{\delta_1\triangleright\phi;\Phi;\Gamma_1\vdash^{N_1}v:\tau_1\qquad\delta_2\triangleright\phi;\Phi;\Gamma_2\vdash^{N_2}v:\tau_2\qquad(|\delta_1|)=(|\delta_2|)\qquad\phi;\Phi\vdash_{\mathcal E}\Gamma\sqsubseteq\Gamma_1\uplus\Gamma_2\qquad\phi;\Phi\vdash_{\mathcal E}\tau_1\uplus\tau_2\sqsubseteq\tau\qquad\phi;\Phi\models_{\mathcal E}N_1+N_2\le M}{\phi;\Phi;\Gamma\vdash^M v:\tau}$$

Lemma 5.12 (Parametric Joining) Suppose that $\mathcal E$ is universal. Then

$$\frac{a,\phi;a<I,\Phi;\Delta\vdash^N v:\sigma\qquad\phi;\Phi\models_{\mathcal E}\sum_{a<I}N\le M\qquad\phi;\Phi\vdash_{\mathcal E}\Gamma\sqsubseteq\sum_{a<I}\Delta}{\phi;\Phi;\Gamma\vdash^M v:\sum_{a<I}\sigma}$$

Observe that the Joining Lemma requires the two type derivations to be joined to have the same PCF "skeleton". This is essential, because otherwise it would not be possible to unify them into one single type derivation.



Completeness for Programs  We now have all the necessary ingredients to obtain a first completeness result, namely one about programs (which are terms of type $\mathsf{Nat}$). Suppose that $t$ is a PCF program such that $t\to^* m$, where $m$ is a natural number. By Proposition 3.1 there is a sequence of processes

$$P_1\triangleright P_2\triangleright\cdots\triangleright P_n,$$

where $P_1=(\langle t;\emptyset\rangle\star\diamond)$ and $P_n=(\langle\underline m;\emptyset\rangle\star\diamond)$. Of course, $\vdash_{\mathsf{PCF}}P_i:\mathsf{Nat}$ for every $i$. For obvious reasons, $\vdash^0 P_n:\mathsf{Nat}[m]$. Moreover, by Weighted Subject Expansion, we can derive each of $\vdash^{I_i}P_i:\mathsf{Nat}[m]$, until we reach $\vdash^{I_1}P_1:\mathsf{Nat}[m]$, where $\models_{\mathcal E}I_1\le n$ (see Figure 10 for a graphical representation of the above argument). It should now be clear that one can reach the following:

Theorem 5.13 (Completeness for Programs) Suppose that $\vdash_{\mathsf{PCF}}t:\mathsf{Nat}$, that $t\Downarrow^n m$ and that $\mathcal E$ is universal. Then $\vdash^k t:\mathsf{Nat}[m]$, where $k\le n$.



Uniformisation and Completeness for Functions  Completeness for programs, however, is not satisfactory: the fact that (normalising) PCF terms of type $\mathsf{Nat}$ can all be analysed by dℓPCF_V is not so surprising, and other type systems (like non-idempotent intersection types [11]) have comparable expressive power. Suppose we want to generalise relative completeness to first-order functions: we would like to prove that every term $t$ having a PCF type $\mathsf{Nat}\Rightarrow\mathsf{Nat}$ (which terminates when fed with any natural number) can be typed in dℓPCF_V. How could we proceed? First of all, observe that the argument in Figure 10 could be applied to all instances of $t$, namely to all terms in $\{t\,\underline n\mid n\in\mathbb N\}$. This way one can obtain, for every $n\in\mathbb N$, a type derivation $\delta_n$ of

$$\vdash^{I_n}t:[a<J_n]\cdot\mathsf{Nat}[K_n]\multimap\mathsf{Nat}[H_n]$$

where $J_n$ can be assumed to be 1, while $K_n$ can be assumed to be $n$. Moreover, the problem of obtaining $\delta_n$ from $n$ is recursive, i.e., can be solved by an algorithm. Surprisingly, the infinitely many type derivations in $\{\delta_n\mid n\in\mathbb N\}$ can be turned into one:

Proposition 5.14 (Uniformisation of type derivations) Suppose that $\mathcal E$ is universal and that $\{\delta_n\}_{n\in\mathbb N}$ is a recursively enumerable class of type derivations satisfying the following constraints:

1. For every $n\in\mathbb N$, $\delta_n\triangleright\vdash^{I_n}t:\sigma_n$;

2. all derivations have the same skeleton.

Then there is a type derivation $\theta\triangleright a;\emptyset;\vdash^I t:\sigma$ such that $\models_{\mathcal E}I\{n/a\}=I_n$ and $\models_{\mathcal E}\sigma\{n/a\}=\sigma_n$ for all $n$.

Uniformisation of type derivations should be seen as an extreme form of joining: not only can a finite number of type derivations for the same term be unified into one, but even any recursively enumerable class of them can. Again, the universality of $\mathcal E$ is crucial here. We are now ready to give the following:

Theorem 5.15 (Completeness for functions) Suppose that $\vdash_{\mathsf{PCF}}t:\mathsf{Nat}\Rightarrow\mathsf{Nat}$, that $t\,\underline n\Downarrow^{k_n}m_n$ for all $n\in\mathbb N$ and that $\mathcal E$ is universal. Then there is an index $H$ such that $a;\emptyset;\vdash^I t:[b<1]\cdot\mathsf{Nat}[a]\multimap\mathsf{Nat}[H]$, where $\models_{\mathcal E}I\{n/a\}\le k_n$ and $\models_{\mathcal E}H\{n/a\}=m_n$.

6 Further Developments

Relative completeness of dℓPCF_V, especially in its stronger form (Theorem 5.15), can be read as follows. Suppose that a (sound) formal system $\mathcal C$ deriving judgements in the form $\phi;\Phi\vdash_{\mathcal E}I\le J$ is fixed and "plugged" into dℓPCF_V. What you obtain is a sound, but necessarily incomplete, formal system, due to Gödel's incompleteness. However, this incompleteness is only due to $\mathcal C$ and not to the rules of dℓPCF_V, which are designed so as to reduce the problem of proving properties of programs to checking inequalities over $\mathcal E$ without any loss of information.

In this scenario, it is of paramount importance to devise techniques to automatically reduce the problem of checking whether a program satisfies a given intensional or extensional specification to the problem of checking whether a given set of inequalities over an equational program $\mathcal E$ holds. Indeed, many techniques and concrete tools are available for the latter problem (take, as an example, the immense literature on SMT solving), while the same cannot be said about the former problem. The situation, in a sense, is similar to the one in the realm of program logics for imperative programs, where logics are indeed very powerful [5], and great effort has been directed to devising efficient algorithms generating weakest preconditions [10].

Actually, at the time of writing, the authors are actively involved in the development of relative type inference algorithms for both dℓPCF_N and dℓPCF_V, which can be seen as having the same role as algorithms computing weakest preconditions. This is however out of the scope of this paper.

7 Conclusions

Linear dependent types are shown to be applicable to the analysis of intensional and extensional properties of functional programs when the latter are evaluated call-by-value. More specifically, soundness and relative completeness results are proved for both programs and functions. This generalises previous work by Gaboardi and the first author [8], who proved similar results in the call-by-name setting. This shows that linear dependency not only provides an expressive formalism, but is also robust enough to be adaptable to calculi whose notions of reduction are significantly different from (and more efficient than) normal order evaluation.

Topics for future work include some further analysis of the applicability of linear dependent types to languages with more features, including some form of inductive data types, or ground type references.